Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

API allows all users to access and change all the data #26

Open
AllanEngland opened this issue Mar 20, 2024 · 7 comments · Fixed by #30
Open

API allows all users to access and change all the data #26

AllanEngland opened this issue Mar 20, 2024 · 7 comments · Fixed by #30
Assignees
@AllanEngland

Comments

@AllanEngland
Copy link
Contributor

Authenticated users should be restricted in what they can see and do.

Roles may be needed for a full implementation, but in the first instance an investigator should not be able to see and edit proposals they are not associated with.
@AllanEngland
Copy link
Contributor Author

While looking at this I've noticed none of the fields in the database table Person other than the primary key (ID) are unique, so more than one entry can have the same email address or orchid id.

@AllanEngland
Copy link
Contributor Author

Using a combination of the JWT accessToken and subject map I can identify a user, map them to a database id and thus filter what they can see.

This works with any GET requests, but PUT and POST requests don't seem to have an accessToken - its contents are null. I'm now trying to find out why.

@AllanEngland AllanEngland self-assigned this Mar 21, 2024
@pahjbo
Copy link
Member

pahjbo commented Mar 22, 2024

Using a combination of the JWT accessToken and subject map I can identify a user, map them to a database id and thus filter what they can see.

This works with any GET requests, but PUT and POST requests don't seem to have an accessToken - its contents are null. I'm now trying to find out why.

it is because only the GET method has the @RolesAllowed annotation, so it is the only one that requires authentication ATM

@AllanEngland
Copy link
Contributor Author

I thought that might have something to do with it, but when I put @RolesAllowed("default-roles-orppst") on a PUT or POST method it returns a 401 unauthorised error.

@alan-stokes
Copy link
Contributor

alan-stokes commented Mar 22, 2024 via email

@pahjbo pahjbo mentioned this issue Mar 26, 2024
Closed
@AllanEngland AllanEngland linked a pull request Mar 26, 2024 that will close this issue
26 api restrict user scope #30
Merged
@AllanEngland
Copy link
Contributor Author

Didn't intend to close this issue, still outstanding;

  • Authorisation around PUTs, POSTs and DELETEs
  • Fix the unit tests, currently fail due to lack of user data (UUID) in the web token.
  • Standardise responses so endpoints throw appropriate WebApplicationException for auth errors.

@AllanEngland AllanEngland reopened this Apr 4, 2024
@pahjbo
Copy link
Member

pahjbo commented Apr 4, 2024

Didn't intend to close this issue, still outstanding;

  • Authorisation around PUTs, POSTs and DELETEs

it is not necessarily dependent on the verbs, but rather the content type see fabien0102/openapi-codegen#240

  • Fix the unit tests, currently fail due to lack of user data (UUID) in the web token.

I have already fixed the tests

  • Standardise responses so endpoints throw appropriate WebApplicationException for auth errors.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@AllanEngland AllanEngland

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

26 api restrict user scope orppst/pst-api-service
3 participants
@pahjbo @AllanEngland @alan-stokes